DATASHEET

Quest®
ActiveRoles® Server
Provisioning, Administration and Security for Active Directory and Beyond ”We’ve experienced a number of benefits of the
system, not the least of which is faster, easier
Businesses today grow and change at a frantic pace, making Active Directory (AD) management
provisioning. The user-creation process used
one of the most time-consuming IT tasks. administrators struggle to keep up with requests
to take up to 25 minutes, and now can be
to create, change or remove user access to various network resources. With the advent of
accomplished in about a minute.”
compliance regulations like the Sarbanes-Oxley Act (SOX), and the intense scrutiny they place
–Siegfried Jagott
on access to business-sensitive applications, organizations can no longer rely on numerous
Consultant
manual provisioning processes to maintain compliance. Siemens Business Services
Add to that the need to tightly delegate control of AD among various administrative groups,
”Paramount to the success of our Active
provide self-service capabilities to users to lighten the IT burden and involve key people in IT
Directory deployment was having automation,
processes through change approval, it’s no wonder that today’s administrators need help.
self-service, and monitoring solutions in place
ActiveRoles Server can help you automatically provision, reprovision and more importantly, from day one,”
deprovision users quickly, cost-efficiently and securely. ActiveRoles Server provides strictly – David Johnson
enforced role-based security, automated group management, a multi-level workflow designer Director of IT
and web interfaces for self service, to achieve practical user and access lifecycle management Georgian College
for the Windows enterprise and beyond. ActiveRoles Server is part of the Quest One Identity
••Protects critical data by strictly
Solution.
enforcing policies and eliminating
Achieve and Maintain Security and Compliance through Identity unregulated access to resources
and Access Management
••Provides a standardized multi-level
ActiveRoles Server helps you achieve and sustain regulatory compliance by implementing
approval workflow designer process
secure, automated and auditable internal controls over granting access to network resources.
for making changes to Active
You can automate all aspects of the account management process, introducing human input
Directory data

••Automates provisioning,
reprovisioning and deprovisioning for
efficient user lifecycle management

••Saves time and potential errors

by providing automated group
management

••Reduces administrative costs by

providing a dynamically configured
and customized Web interface for
administrators, self-service users, help
desk personnel and data owners

••Lightens the IT workload by providing

user self-service capabilities to
directory data controlled by IT
DATASHEET

via a change approval process when needed. This simplifies user and group provisioning, policy SYSTEM REQUIREMENTS
enforcement, segregation of duties and delegation of administrative privileges.
Hardware
ActiveRoles Server automates user and group provisioning lifecycle tasks to reduce your • 1 GHz or higher Intel Pentium
administrative workload and increases user access control whether the user is a new hire, compatible CPU (2 GHz+ )
intra-organization transfer or termination. Ben Worthen, in his CIO magazine article, identified • 1 GB of RAM (2 GB )
that, “Failure to segregate duties within applications, and failure to set up new accounts and • 100 MB or more of free hard disk space
terminate old ones in a timely manner…” is the number one IT control weakness among (1 GB )
interviewed CIOs and auditors. Operating Systems:
ActiveRoles Server provides the ability to deprovision users and groups rather than just • Microsoft Windows 2000 Service Pack 4
delete or disable accounts. ActiveRoles Server comes with default policies to automate some or later (Support discontinued 2009)
commonly-scripted deprovisioning tasks, and permits all provision policies to be tailored to an • Microsoft Windows Server 2003, with or
organization’s specific needs. without any Service Pack
• Microsoft Windows Server 2003 x64
Involve Decision-makers within Key IT Processes Editions
ActiveRoles Server automates the ability to accept or deny operation requests (approval • Microsoft Windows Server 2003 R2
workflow) and to monitor the execution of those requests. This complements business rules to • Microsoft Windows Server 2008, 32 or
make provisioning and deprovisioning decisions based on application or data owners input. 64-bit architecture Operating Systems

Lower Administrative Costs

A dynamically configured Web interface enables users, business data owners and help desk
personnel to perform appropriate administrative tasks on their own. This reduces support costs,
while controlling of your Active Directory environment.

Extend Management Control

ActiveRoles Server extends management control to Unix and Linux identities, including
users, groups and computers, through the optional Support Pack for Quest Authentication
Services , Quest's patented technology for Active Directory-based authentication. Query-based
management views show all of the enabled identities, and business rules ensure and enforce
unique user and group identification.

The solution also includes the following functions:

Controlled Administration: Provides a unique administrative service that acts as a
firewall around AD, so you can reliably delegate control by defining administrative roles
and associated permissions and rules that are strictly enforced. This is the only way to
maintain compliance with security policies.

Automated Provisioning: Automates user and group provisioning, including account

creation in AD, mailbox creation in Exchange, and group population and resource
provisioning in Windows, which helps you save valuable administrative time. ActiveRoles
Server also automates re-provisioning and de-provisioning, helping to ensure an efficient
administrative process over the lifetime of user account or group. This means that when a
user’s access needs to be changed or removed, updates in AD, Exchange and Windows are
made automatically.

User Self-Service: With the simple assignment of self-service roles, end users can carry
out self-administrative tasks, such as modifying their personal data through a simple to
DATASHEET

use self-service Web interface. Due to the reliable enforcement of business roles and rules, SYSTEM REQUIREMENTS (cont.)
ActiveRoles Server makes self-administration safe and secure, while allowing IT to manage
Additional Software:
(but not necessarily participate in) these time consuming tasks. • Microsoft SQL Server 2008 Express
Workflow: Provides a rich workflow system for directory data management automation Edition
and integration. Based on Microsoft’s Windows Workflows Foundation technology, this • Microsoft SQL Server 2000 Service Pack
system enables IT to define, automate and enforce management rules quickly and easily. 4 or later
Workflows extend the capabilities of ActiveRoles Server by delivering a framework that • Microsoft SQL Server 2000 Desk top
enables you to combine management rules such as provisioning and de-provisioning Engine (MSDE) Service Pack 4 or later
of identities in the directory, enforce policies on changes to identity data, route data • Microsoft Data Access Components
changes for approval, provide e-mail notifications of particular events and conditions, as (MDAC) version 2.7 or later
well as implement custom actions using script technologies such as Microsoft Windows • Microsoft .NET Framework version 3.5 or
PowerShell. later Service Pack 1

Auditing and Reporting: Provides a complete audit trail, showing who performed what • Microsoft Internet Information Services
actions and who tried to perform actions that were not permitted. A rich suite of reports (IIS) 5.0 or later (IIS 6.0 )

assists in change tracking and policy enforcement audits and Active Directory monitoring • Microsoft Internet Explorer version 6.0 or
and analysis. By logging all actions in a centralized fashion, ActiveRoles Server enables later (IE 7.0 or later )

administrators to quickly troubleshoot and investigate system issues. • Microsoft Exchange Server 2003, with or
without any Service Pack
Temporal Group Memberships: Automates the tasks of adding or removing group
• Microsoft Exchange Server 2007, with or
members that only need group membership for a specific time period. Makes it possible
without any Service Pack
to add or remove members from groups on a scheduled basis, ensuring that particular
users are members of required groups for only the required periods of time.

A Complete and Extensible Solution: Manage key user assets, including AD accounts,
Exchange mailboxes and home directories. It provides a practical approach for managing
the user lifecycle, including provisioning, reprovisioning and deprovisioning. You can
also customize and extend ActiveRoles Server provisioning, management, security and
automation through ActiveRoles Server support for custom scripts. These scripts are
subject to the same roles and rules as users so you can be confident that they will be
executed properly, by the correct people, and trigged by events you define. In addition to
strong scripting support, several optional add-on applications (listed below) can be added
to ActiveRoles Server to provide for advanced management capabilities.

Optional Add-On Applications for ActiveRoles Server:

ActiveRoles Quick Connect: Enables ActiveRoles Server to provision and deprovision
from an authoritative data source, automatically controlling user access. ActiveRoles Quick
Connect extends ActiveRoles Server into the provisioning process on non-Active Directory
connected systems for end-to-end identity, password and access synchronization. This
saves administrative cost by eliminating effort and reduces errors through automation.

ActiveRoles Management Shell for Active Directory: Provides a set of predefined

commands for Windows PowerShell, the new command line and scripting language
developed by Microsoft. By using the ActiveRoles Management Shell for Active Directory
to build your scripts, you can harness ActiveRoles Server to leverage proven rules, roles,
workflow and attestation features giving you a robust management option for Windows
PowerShell and Active Directory.

ActiveRoles Self-Service Manager: Provides controls to let administrators empower

application and data owners to self-manage their resource access groups in a secure
DATASHEET

and compliant manner. By empowering the information owner, the burden of access
management and compliance is moved from IT to the person who understands the
business justifications for granting access.

Identity and Access Lifecycle Management

Access
M anager
Ac
le s Configure Ac tive
Ro er Access ce R
v s
S e ve

ol M an
ti

s
es a
Re
r

n sp A
Ac

s io

S e ger
rve
ss n si
i

ig b i l
ov

r/
n it y
Pr

er/
S elf-S e S er v
r v i ce
As s i g n
Access

ve R o l e s
Depro
Activ r ver

Acti
vi s
Se
eR o

i on
les

d r
m

ten fo
A
Att udit an Ex Plat
e st d ss -
ation Cro ct
n ne
S
Ac elf-Se Co
ce s ick
s M r v i ce / Qu
anag
er

ActiveRoles Server plays a key role in Active Directory-centric identity and access management.

About Quest Software, Inc.

Now more than ever, organizations need to work smart and improve efficiency. Quest Software
creates and supports smart systems management products—helping our customers solve
everyday IT challenges faster and easier. Visit www.quest.com for more information.

5 Polaris Way, Aliso Viejo, CA 92656 | PHONE 800.306.9329 | WEB www.quest.com | E-MAIL sales@quest.com
If you are located outside North America, you can find your local office information on our Web site

© 2010 Quest Software, Inc.

ALL RIGHTS RESERVED

Quest Software is a registered trademark of Quest Software, Inc. in the U.S.A. and/or other countries. All other trademarks and registered trademarks are property of their respective owners.
DSW-ARS-US-MJ-20100121